py-mine/PyMine-Server

Implement code signing for plugins

456dev opened this issue · 3 comments

Features

  • Support for importing plugins from a zip file (modules already support this)
  • Generate a private distribution key to sign build information and confirm it has been reviewed and is safe
  • Use a private developer key to confirm the author of the code to a developer
    • Think about how this should work with repositories and many contributors. author should sign off on module being published?
  • Publish a github action to automate building of plugin zip file (zip it up, code sign it using github secrets), trigger rest api of plugin distribution server with artifact (module) and public signed thing
    server should find public cert url and verify authenticity of plugin zip.
  • Developer signs build, now malicious actor can't change file without invalidating dev cert signing
  • Publishes to distributor, distributor uses their private key to sign the build information, including module file hash. This prevents distributor of file information (mitm). The distributor should only sign file info if it is confirmed to be safe (after reviewing built code, and inspecting it for malice/TOS breaking stuff).
  • Needs to be a way to revoke the previous signing, say if bad code sneaks through there isn't an authentic but misleading signature.

Reasons

  • This prevents man in the middle attacks between the developer and the distribution server, and the distribution server and the user. It also prevents against a bad actor re-packing malicious code to pretend to be the dev, as they do not have the signing cert.
  • The single file zip plugin is to make it easy to download and sign.
  • The client should be able to verify both certs, and also trust custom ones.
  • It should follow the trust tree, starting with the official server signing cert. It should be the cert authority for trusting other distribution servers at different levels. Also, import own cert authority allows for internal use, and for third parties.

https://stackoverflow.com/questions/21122426/pgp-gpg-signed-python-code

Import processing
-> finds all plugins in a directory, stores as a list of paths to import
for each, call import with the extra hook. this extra hook verifies the developer signature and the publisher/distribution signature. if either check fails, should either: warn the user, ask to continue
if debug mode: -> warn in console, continue w/o prompt (maybe a config option just for plugin development, and documented that it reduces safety/security)
if secure mode: reject plugin outright with error, require all plugins be signed.
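
An added example, not part of the original issue or PyMine's own code, of the import gate described above: it checks the developer signature over the zip and the distributor signature over build information containing the file hash, honours a revocation set, and maps failures to the debug/secure behaviour. All names, the demo keys and the revocation set keyed by signature are assumptions, and HMAC-SHA256 stands in for a real asymmetric signature (such as Ed25519) so the block runs on the standard library alone.

```python
import hashlib, hmac, io, json, zipfile

# Constructed demo keys. HMAC is only a stand-in: a real design would verify
# with the developer's and distributor's public keys, not shared secrets.
DEV_KEY = b"constructed-developer-key"
DIST_KEY = b"constructed-distributor-key"

def sign(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify(key: bytes, data: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(key, data), sig)

def build_info(plugin_zip: bytes, name: str) -> bytes:
    """Canonical build information the distributor signs, including the file hash."""
    info = {"name": name, "sha256": hashlib.sha256(plugin_zip).hexdigest()}
    return json.dumps(info, sort_keys=True).encode()

def check_plugin(plugin_zip, info, dev_sig, dist_sig, revoked=frozenset()):
    """Return the list of failed checks; an empty list means the plugin verifies."""
    failures = []
    if not verify(DEV_KEY, plugin_zip, dev_sig):
        failures.append("developer signature invalid")
    if not verify(DIST_KEY, info, dist_sig):
        failures.append("distributor signature invalid")
    elif json.loads(info)["sha256"] != hashlib.sha256(plugin_zip).hexdigest():
        # Signed info is authentic but describes a different file.
        failures.append("file hash does not match signed build information")
    if dist_sig in revoked:
        failures.append("distributor signature revoked")
    return failures

def import_decision(failures, mode):
    """'secure' rejects, 'debug' warns and continues, any other mode asks the user."""
    if not failures:
        return "load"
    if mode == "secure":
        return "reject"
    if mode == "debug":
        return "load-with-warning"
    return "ask-user"

def make_demo_zip() -> bytes:
    """Build a constructed single-file plugin zip in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("plugin/__init__.py", "print('hello')\n")
    return buf.getvalue()
```
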